Google Previews Gmail Encryption

Gmail users will soon be able to encrypt their messages easily with End-to-End, a free Chrome extension.

Google I/O 2014: 8 Things To Watch

(Click image for larger view and slideshow.)

Google on Tuesday introduced software called End-to-End to encrypt Gmail messages in transit and simultaneously published data about encryption usage by email providers, as if to shame companies with indifferent security practices.

In a blog post, Google security product manager Stephan Somogyi characterized the company's effort simply as an attempt to "help make this kind of encryption a bit easier."

But Google's action follows a year of revelations about the extent to which intelligence agencies can access electronics communications. The documents leaked by former NSA contractor Edward Snowden have made businesses and individuals reticent about trusting their information to third-party service providers.

Thus we find Google encouraging other online service providers to do more to protect customer data. By naming names -- last month, less than 1% of email sent from Gmail to comcast.net addresses remained encrypted, for example -- Google may be able to hasten industry adoption of encryption and restore faith in cloud computing, upon which much of its business depends.

But Google cannot unilaterally secure the Internet. In its Transparency Report, the company acknowledges that while encryption makes snooping on messages in transit more difficult, it does not make it impossible. In addition, email messages can be read once they've been delivered, through malware or other means.

According to Google, 69% of messages from Gmail to other providers, and 48% of messages sent to Gmail, support encryption through Transport Layer Security (TLS).

Google's gambit appears to be working already. On Tuesday, Comcast said it is testing encryption for customers' email messages and intends to begin deploying the technology in a matter of weeks.

Google's embrace of encryption will have a downside for the company: Messages encrypted on Google's servers cannot be scanned, eliminating their use as a source of ad-targeting data. However, given how much Google already knows about its users and the fact that it expects only the security-conscious minority to install its encryption software, the company's ability to target ads isn't likely to be much degraded.

Google's encryption software is not yet ready for mainstream use. The company is offering it as alpha code so it can be tested. Those who find bugs in the code can submit them for a possible reward through the company's Vulnerability Reward Program.

When End-to-End is ready to be released, Google plans to offer it through its Chrome Web Store as a Chrome browser extension. End-to-End is based on OpenPGP, an open protocol for encrypting messages through public key cryptography.

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant?Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Maybe Google will do what they promised to but what about an informations sent via other channels? Protect your privacy by using independent programs. If you are using a cell with Android system, just download mySecurePhone - software to encrypt outgoing emails, texts and calls. Good thing is that mySecurePhone is compatible with any email account.

Ok, so this is new for Google that they might offer encryption (assuming you trust the extension... do you?). I wonder how it will really work though. Will Google be offering to keep track of your private or public keys for you perhaps? After all, keeping keys in cloud storage protects you in case of loss, so let's get those all stored somewhere handy like GoogleDrive. Nicely done ;-)

Seriously though, PGP has been around for the longest time but it just hasn't caught on not least because it's a pain in the backside to use for most people. I suspect that PGP's "web of trust" concept is about to be blown wide open by people who will just sign off on anything they see rather than actually validating the keys. So just wait for the first exploit of that.

I also wonder whether we'll see corporates - many of whom still allow gmail/webmail access from their networks - shutting down access to gmail totally if this extension becomes popular.

@micjustin33, that a good point, and as more and more providers begin to offer encryption as a standard, this will cause spear phishing to become increasingly difficult. At one point spear phishing will become a zero gain operation, and then after the tipping point is crossed, spear phishing will become a lose making practice, once that happens, encryption and security would have won at least on one front.

I think Zixmail is a completely different email provider, like Yahoo Mail, with its own extension. Or does Zixmail have the ability to encrypt outgoing mail from a Gmail account? If not, then Zixmail is just a third party tool in the app store.

Great point -- huge amounts of capital, trumps capital. And I have a feeling that Google will be gaining more user data, than it will be losing from encrypting Gmail messages, because users that desire a higher level of security and are using for instance, Firefox, will have to move to Chrome and in exchange, Google will gain their browser data.

Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.

Among 688 respondents to our Mobile Application Development Survey ó up from 350 respondents in 2012 ó 46% have deployed mobile apps, with an additional 24% planning to in the next year. Whatís the holdup for that remaining 30%? Often, itís a lack of expertise.